Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3800
Views
0
Helpful
6
Replies

Move Site-Site VPNs to new interface

Go to solution
gregbeifuss
Level 1
Level 1

‎09-04-2012 09:00 AM

Hello,

We have 2 site-to-site VPN tunnels in our organization - both remote sites connect to the same firewall at our head office. All 3 firewalls are ASA5510's running 8.4 code.

We want to have VPN tunnel traffic separated from general internet access/web surfing. I'm trying to move the tunnels from the current interface on our head office firewall to a new interface. I thought this should be pretty easy - change the peer IP addresses and make sure that I've got a static routing entry set so that VPN tunnel traffic exits the proper interface, but I'm having a terrible time. I've been using the ASDM interface and I'm thinking that might be the source of my issue.

Can anyone confirm that what I want (move only the VPN tunnels from e0/0 to e0/2) is indeed possible? Any help on the actual configuration would be greatly appreciated as well.

Thanks!
Greg

HEAD OFFICE firewall

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 207.x.x.122 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Ethernet0/2

description Internet link for all tunnel traffic

speed 100

duplex full

nameif VPN_outside

security-level 0

ip address 206.y.y.202 255.255.255.248

object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.254.0
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.254.0
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
object network obj-192.168.30.0
subnet 192.168.30.0 255.255.254.0
object network obj-192.168.40.0
subnet 192.168.40.0 255.255.254.0
object network obj-192.168.250.0
subnet 192.168.250.0 255.255.254.0
object network Massey-Data
subnet 192.168.80.0 255.255.255.0
object network Massey-Voice
subnet 192.168.86.0 255.255.255.0
object network Stratford-Data
subnet 192.168.70.0 255.255.255.0

object-group network Massey_Traffic
network-object object Massey-Data
network-object object Massey-Voice
object-group network Stone_Traffic
network-object object obj-192.168.1.0
network-object object obj-192.168.10.0
network-object object obj-192.168.30.0
network-object object obj-192.168.40.0
network-object object obj-192.168.100.0
network-object object obj-192.168.250.0
network-object object obj-192.168.4.0
object-group network Stratford_Traffic
network-object object Stratford-Data

access-list VPN_outside_access_out extended permit ip any any

access-list outside_stratford extended permit ip object-group Stone_Traffic object-group Stratford_Traffic

access-list global_mpc extended permit ip any any

access-list outside_massey extended permit ip object-group Stone_Traffic object-group Massey_Traffic

nat (inside,outside) source static Stone_Traffic Stone_Traffic destination static Massey_Traffic Massey_Traffic no-proxy-arp route-lookup

nat (inside,outside) source static Stone_Traffic Stone_Traffic destination static Stratford_Traffic Stratford_Traffic no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface dns

access-group outside_access_out out interface outside

access-group inside_access_out out interface inside

access-group VPN_outside_access_out out interface VPN_outside

route outside 0.0.0.0 0.0.0.0 207.x.x.121 1

route VPN_outside 0.0.0.0 0.0.0.0 206.y.y.201 10

route inside 192.168.4.0 255.255.254.0 192.168.1.252 1

route inside 192.168.10.0 255.255.254.0 192.168.1.252 1

route inside 192.168.30.0 255.255.254.0 192.168.1.252 1

route inside 192.168.40.0 255.255.254.0 192.168.1.252 1

route inside 192.168.100.0 255.255.255.0 192.168.1.252 1

route inside 192.168.250.0 255.255.254.0 192.168.1.252 1

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto map outside_map 1 match address outside_stratford

crypto map outside_map 1 set peer 207.a.a.4

crypto map outside_map 1 set ikev2 ipsec-proposal AES

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 2 match address outside_massey

crypto map outside_map 2 set peer 206.b.b.186

crypto map outside_map 2 set ikev2 ipsec-proposal AES AES192 AES256

crypto map outside_map interface outside

tunnel-group 207.a.a.4 type ipsec-l2l

tunnel-group 207.a.a.4 general-attributes

default-group-policy DfltGrpPolicy-Stratford

tunnel-group 207.a.a.4 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

tunnel-group 206.b.b.186 type ipsec-l2l

tunnel-group 206.b.b.186 ipsec-attributes

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

crypto ikev2 policy 1

encryption aes

integrity sha

group 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes

integrity md5

group 2

prf md5

lifetime seconds 86400

crypto ikev2 enable outside

RemoteSite 1

crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto map corvette 1 match address VPNtraffic
crypto map corvette 1 set peer 207.x.x.122
crypto map corvette 1 set ikev2 ipsec-proposal AES
crypto map corvette interface outside

nat (inside,outside) source static Stratford_Traffic Stratford_Traffic destination static Stone_Traffic Stone_Traffic no-proxy-arp route-lookup

no crypto isakmp nat-traversal
crypto ikev2 policy 1
encryption aes
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside

tunnel-group StratfordVPN type remote-access
tunnel-group StratfordVPN general-attributes
default-group-policy StratfordPolicy
tunnel-group StratfordVPN webvpn-attributes
group-alias Stratford enable
tunnel-group 207.x.x.122 type ipsec-l2l
tunnel-group 207.x.x.122 general-attributes
default-group-policy StratfordPolicy
tunnel-group 207.x.x.122 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-04-2012 01:41 PM

Your basic approach is on track. I believe you have a routing issue though.

I see your external routes setup with:

route outside 0.0.0.0 0.0.0.0 207.x.x.121 1

route VPN_outside 0.0.0.0 0.0.0.0 206.y.y.201 10

Since neither is more specific, what would force the ASA to route traffic destined for your VPN peer out the (higher metric!) VPN_Outside interface eth0/2?

I'd put a /32 route for each of your remote peers in place like:

route VPN_outside 255.255.255.255 206.y.y.201

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-04-2012 01:41 PM

Your basic approach is on track. I believe you have a routing issue though.

I see your external routes setup with:

route outside 0.0.0.0 0.0.0.0 207.x.x.121 1

route VPN_outside 0.0.0.0 0.0.0.0 206.y.y.201 10

Since neither is more specific, what would force the ASA to route traffic destined for your VPN peer out the (higher metric!) VPN_Outside interface eth0/2?

I'd put a /32 route for each of your remote peers in place like:

route VPN_outside 255.255.255.255 206.y.y.201

0 Helpful

Go to solution
frederic_hohn
Level 1
Level 1

‎09-04-2012 02:03 PM

Routing is one thing to fix, next you need to enable ike on your new interface. Also bind your crypto map to the new interface, both are binded on your Interface outside

Sent from Cisco Technical Support Android App

0 Helpful

Go to solution
frederic_hohn
Level 1
Level 1

‎09-04-2012 02:09 PM

There is no pat configured on your second outside Interface

Sent from Cisco Technical Support Android App

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to frederic_hohn

‎09-04-2012 02:14 PM

Good catch on the maps and ike, Frederic. I agree.

no crypto map outside_map interface outside

crypto map outside_map interface VPN_outside

no crypto ikev2 enable outside

crypto ikev2 enable VPN_outside

If he's not doing anything other than VPN traffic (wrapped in IPSec) out the new interface, there shouldn't be any need for NAT/PAT, yes?

0 Helpful

Go to solution
frederic_hohn
Level 1
Level 1

‎09-04-2012 09:51 PM

Probably Not for ipsec itself, but it might be better to be able to reach the isp router from inside for monitoring and later needs. I would configure it allways on an outside interface.

Sent from Cisco Technical Support Android App

0 Helpful

Go to solution
gregbeifuss
Level 1
Level 1

‎09-15-2012 10:00 PM

Thanks for the feedback, Frederic & Marvin. I'd forgotten the route statement to force VPN traffic out the other interface. Adding it fixed my issue.


Thanks!
Greg

0 Helpful
Customers Also Viewed These Support Documents